Configuring Captive Portal with a PEFNG License

You must purchase and install the PEFNG (Policy Enforcement Firewall) license on the Mobility Conductor to use identity-based security features. There are two user roles that are important for captive portal:

The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance.

The following are the basic tasks for configuring captive portal using role-based access provided by the Policy Enforcement Firewall software module:

  1. Install the PEFNG license on the primary Mobility Conductor.

    For more information, see Aruba Mobility Conductor Licensing Guide.

  2. Configure the user role for a default user.

    Create and configure user roles and policies for guest or registered captive portal users. For more information, see Configuring Policies and Roles.

  3. Create a server group.

    If you are configuring captive portal for registered users, configure the server(s) and create the server group. For more information, see Authentication Servers.

    If you are using the internal database of the managed device for user authentication, use the predefined “Internal” server group. The "internal" server is the local database on the Mobility Conductor. You need to configure entries in the internal database, as described in Authentication Servers.

  4. Create the captive portal authentication profile.

    Create and configure an instance of the captive portal authentication profile. Specify the default user role for captive portal users. For more information, see Configuring Captive Portal Authentication Profiles.

  5. Configure the initial user role.

    Create and configure the initial user role for captive portal. You also need to specify the captive portal authentication profile instance in the initial user role configuration. For example, if you are using the predefined logon system role for the initial role, you need to edit the role to specify the captive portal authentication profile instance. For more information, see Modifying the Initial User Role.

  6. Create the AAA Profile.

    Create and configure an instance of the AAA profile. Specify the initial user role. For more information, see Configuring the AAA Profile.

  7. Create the SSID Profile. In this example, the profile name is ssid_c-portal.

    Create and configure an instance of the virtual AP profile that you apply to an AP group or AP name. Specify the AAA profile you just created.

  8. Create the Virtual AP Profile. In this example, the profile name is vp_c-portal.

    Create and configure an instance of the SSID profile for the virtual AP.

The following sections present the WebUI and CLI procedures for configuring the captive portal authentication profile, initial user role, the AAA profile, and the virtual AP profile. Other chapters within this document detail the configuration of the user roles and policies, authentication servers, and server groups.

The following procedure describes how to configure captive portal with a PEFNG license:

  1. Log in to the Mobility Conductor.
  2. In the Managed Network node hierarchy, navigate to the Configuration > Authentication > L3 Authentication tab. Select the Captive Portal Authentication profile.
    1. In the Captive Portal Authentication Profile: New Profile window, click + to create a new Captive Portal Authentication profile and enter a profile name in the Profile Name field (for example, c-portal).
    2. Select the Default role (for example, employee) for captive portal users.
    3. Enable Guest login or User login, as well as other parameters (refer to Captive Portal Authentication Profile Parameters table).
    4. Click Submit.
  3. To specify the authentication servers, select Server Group under the captive portal authentication profile you just configured.
    1. Select the Server group (for example, cp-srv) from the drop-down list.
    2. Click Submit.
  4. Select the AAA Profiles tab.
    1. Expand AAA Profiles and click + in the AAA profile: New Profile window to add a new profile. Enter a profile name in the Profile Name field (for example, aaa_c-portal).
    2. Set the Initial role to a role that you will configure with the captive portal authentication profile.
    3. Click Submit.
  5. Navigate to the Configuration > Roles and Policies > Roles tab. Select a role and click + to add a new rule.
    1. To edit the predefined logon role, select the role and click + in the policies page that opens and select Access Control.
    2. To configure a new role, first configure policy rules in the Policies tab, then select the User Roles tab to add a new user role and assign policies.
    3. Select the profile from the Captive Portal Profile drop-down list in Authentication tab under the selected role.
    4. Click Submit.
  6. Navigate to the Configuration > AP Groups page to configure the virtual AP profile.
  7. Select the AP Group. Click + for the applicable AP group name or AP name.
  8. Under Profiles, select Wireless LAN, then select Virtual AP.
  9. Select NEW from the Add a profile drop-down list to create a new virtual AP profile. Enter the name for the virtual AP profile (for example, vp_c-portal), then click Save.
    1. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click Save.
    2. From the SSID profile drop-down list, select NEW. A pop-up window allows you to configure the SSID profile.
    3. Enter the name for the SSID profile (for example, ssid_c-portal).
    4. Enter the network name for the SSID profile (for example, c-portal-ap).
    5. Click Submit.
  10. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.
    1. Make sure Virtual AP enable is selected.
    2. For VLAN, select the VLAN to which users are assigned (for example, 900).
    3. Click Submit.
  11. Click Pending Changes.
  12. In the Pending Changes window, select the checkbox and click Deploy changes.

The following CLI commands configure captive portal with the PEFNG license:

    (host) [md] (config) #aaa authentication captive-portal c-portal
        default-role employee
        server-group cp-srv
    (host) [md] (config) #user-role logon
    (host) [md] (config-submode)#access-list session c-portal
        captive-portal c-portal
    (host) [md] (config) #aaa profile aaa_c-portal
        initial-role logon
    (host) [md] (config) #wlan ssid-profile ssid_c-portal
        essid c-portal-ap
        vlan 900
    (host) [md] (config) #wlan virtual-ap vp_c-portal
        aaa-profile aaa_c-portal
        ssid-profile ssid_c-portal
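
The commands above build a chain of references: virtual AP, AAA profile, initial role, captive portal authentication profile. The following Python check is an added example, not part of the original guide or of Aruba's tooling; it walks that chain in a saved configuration and reports any broken link. The configuration layout (unindented stanza headers, indented sub-commands), the `SAMPLE` text, and the `parse` and `audit` names are assumptions made for illustration.

```python
# Constructed sample in the assumed layout, based on the CLI listing above.
SAMPLE = """\
aaa authentication captive-portal c-portal
   default-role employee
   server-group cp-srv
user-role logon
   access-list session c-portal
   captive-portal c-portal
aaa profile aaa_c-portal
   initial-role logon
wlan ssid-profile ssid_c-portal
wlan virtual-ap vp_c-portal
   aaa-profile aaa_c-portal
   ssid-profile ssid_c-portal
"""
CP = "aaa authentication captive-portal"
KINDS = (CP, "aaa profile", "user-role", "wlan ssid-profile", "wlan virtual-ap")

def parse(text):
    """Return {(stanza kind, name): {keyword: last token}}."""
    cfg, current = {}, {}
    for raw in text.splitlines():
        line = raw.strip().replace('"', "")
        if not line or line == "!":
            continue
        if raw[0].isspace():          # sub-command of the open stanza
            key, _, value = line.rpartition(" ")
            current[key] = value
            continue
        kind = next((k for k in KINDS if line.startswith(k + " ")), None)
        current = cfg.setdefault((kind, line[len(kind):].strip()), {}) if kind else {}
    return cfg

def audit(text):
    """Follow virtual AP -> AAA profile -> initial role -> captive portal profile."""
    cfg, findings = parse(text), []
    def follow(kind, name, key):
        stanza = cfg.get((kind, name))
        if stanza is None:
            findings.append(f"{kind} {name}: not defined")
        elif key not in stanza:
            findings.append(f"{kind} {name}: missing {key}")
        else:
            return stanza[key]
    for kind, vap in [k for k in cfg if k[0] == "wlan virtual-ap"]:
        ssid = follow(kind, vap, "ssid-profile")
        if ssid and ("wlan ssid-profile", ssid) not in cfg:
            findings.append(f"wlan ssid-profile {ssid}: not defined")
        aaa = follow(kind, vap, "aaa-profile")
        role = aaa and follow("aaa profile", aaa, "initial-role")
        cp = role and follow("user-role", role, "captive-portal")
        for key in ("default-role", "server-group") if cp else ():
            follow(CP, cp, key)
    return findings
```

An empty result from `audit(SAMPLE)` means every link resolves; an initial role without a `captive-portal` line is reported as `user-role logon: missing captive-portal`.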

Related Topics

Configuring Captive Portal in the Base Operating System

Sample Authentication with Captive Portal

Configuring Captive Portal Authentication Profiles